# Send clawsec-nanoclaw to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "clawsec-nanoclaw",
    "name": "clawsec-nanoclaw",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/davida-ps/clawsec-nanoclaw",
    "canonicalUrl": "https://clawhub.ai/davida-ps/clawsec-nanoclaw",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/clawsec-nanoclaw",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=clawsec-nanoclaw",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "CHANGELOG.md",
      "INSTALL.md",
      "README.md",
      "SKILL.md",
      "docs/INTEGRITY.md",
      "docs/SKILL_SIGNING.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/clawsec-nanoclaw"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/clawsec-nanoclaw",
    "downloadUrl": "https://openagent3.xyz/downloads/clawsec-nanoclaw",
    "agentUrl": "https://openagent3.xyz/skills/clawsec-nanoclaw/agent",
    "manifestUrl": "https://openagent3.xyz/skills/clawsec-nanoclaw/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/clawsec-nanoclaw/agent.md"
  }
}
```
## Documentation

### ClawSec for NanoClaw

Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.

### Overview

ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.

Core principle: Check before you install. Monitor what's running.

### When to Use

Use ClawSec tools when:

Installing a new skill (check safety first)
User asks "are my skills secure?"
Investigating suspicious behavior
Regular security audits
After receiving security notifications

Do NOT use for:

Code review (use other tools)
Performance issues (different concern)
General debugging

### Pre-Installation Check

// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'new-skill',
  skillVersion: '1.0.0'  // optional
});

if (!safety.safe) {
  // Show user the risks before proceeding
  console.warn(\`Security issues: ${safety.advisories.map(a => a.id)}\`);
}

### Security Audit

// Check all installed skills (defaults to ~/.claude/skills in the container)
const result = await tools.clawsec_check_advisories({
  installRoot: '/home/node/.claude/skills'  // optional
});

if (result.matches.some((m) =>
  m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'
)) {
  // Alert user immediately
  console.error('Urgent advisories found!');
}

### Browse Advisories

// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
  severity: 'high',               // optional
  exploitabilityScore: 'high'     // optional
});

### Quick Reference

TaskToolKey ParameterPre-install checkclawsec_check_skill_safetyskillNameAudit all skillsclawsec_check_advisoriesinstallRoot (optional)Browse feedclawsec_list_advisoriesseverity, type, exploitabilityScore (optional)Verify package signatureclawsec_verify_skill_packagepackagePathRefresh advisory cacheclawsec_refresh_cache(none)Check file integrityclawsec_check_integritymode, autoRestore (optional)Approve file changeclawsec_approve_changepathView baseline statusclawsec_integrity_statuspath (optional)Verify audit logclawsec_verify_audit(none)

### Pattern 1: Safe Skill Installation

// ALWAYS check before installing
const safety = await tools.clawsec_check_skill_safety({
  skillName: userRequestedSkill
});

if (safety.safe) {
  // Proceed with installation
  await installSkill(userRequestedSkill);
} else {
  // Show user the risks and get confirmation
  await showSecurityWarning(safety.advisories);
  if (await getUserConfirmation()) {
    await installSkill(userRequestedSkill);
  }
}

### Pattern 2: Periodic Security Check

// Add to scheduled tasks
schedule_task({
  prompt: "Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear",
  schedule_type: "cron",
  schedule_value: "0 9 * * *"  // Daily at 9am
});

### Pattern 3: User Security Query

User: "Are my skills secure?"

You: I'll check installed skills for known vulnerabilities.
[Use clawsec_check_advisories]

Response:
✅ No urgent issues found.
- 2 low-severity/low-exploitability advisories
- All skills up to date

### ❌ Installing without checking

// DON'T
await installSkill('untrusted-skill');

// DO
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');

### ❌ Ignoring exploitability context

// DON'T: Use severity only
if (advisory.severity === 'high') {
  notifyNow(advisory);
}

// DO: Use exploitability + severity
if (
  advisory.exploitability_score === 'high' ||
  advisory.severity === 'critical'
) {
  notifyNow(advisory);
}

### ❌ Skipping critical severity

// DON'T: Ignore high exploitability in medium severity advisories
if (advisory.severity === 'critical') alert();

// DO: Prioritize exploitability and severity together
if (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {
  // Alert immediately
}

### Implementation Details

Feed Source: https://clawsec.prompt.security/advisories/feed.json

Update Frequency: Every 6 hours (automatic)

Signature Verification: Ed25519 signed feeds
Package Verification Policy: pinned key only, bounded package/signature paths

Cache Location: /workspace/project/data/clawsec-advisory-cache.json

See INSTALL.md for setup and docs/ for advanced usage.

### Real-World Impact

Prevents installation of skills with known RCE vulnerabilities
Alerts to supply chain attacks in dependencies
Provides actionable remediation steps
Zero false positives (curated feed only)
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: davida-ps
- Version: 0.0.3
## Source health
- Status: healthy
- Source download looks usable.
- Yavira can redirect you to the upstream package for this source.
- Health scope: source
- Reason: direct_download_ok
- Checked at: 2026-04-23T16:43:11.935Z
- Expires at: 2026-04-30T16:43:11.935Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/clawsec-nanoclaw)
- [Send to Agent page](https://openagent3.xyz/skills/clawsec-nanoclaw/agent)
- [JSON manifest](https://openagent3.xyz/skills/clawsec-nanoclaw/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/clawsec-nanoclaw/agent.md)
- [Download page](https://openagent3.xyz/downloads/clawsec-nanoclaw)